Frequently Asked Questions

Last updated: March 19, 2026

What is Exploita?

Exploita is an AI-powered defensive security scanning platform designed exclusively for legitimate security professionals and website owners to identify vulnerabilities in their own systems. Our automated engine runs 200+ security checks to help you find and fix vulnerabilities before malicious actors exploit them.

Is it legal to use Exploita?

Yes — but ONLY when used to scan systems you own or have explicit written authorization to test. Exploita is a defensive security tool, not a hacking tool. Scanning any system without proper authorization is illegal under laws such as the Computer Fraud and Abuse Act (US), Computer Misuse Act (UK), and EU Directive 2013/40/EU. Users who scan unauthorized targets will have their accounts permanently terminated and may be reported to law enforcement. We strongly recommend keeping written documentation of your authorization on file.

What happens if someone uses Exploita to scan systems they don't own?

This is a serious violation of our Terms of Service and is illegal. We will immediately and permanently terminate the account without refund, retain all associated data for law enforcement purposes, and may proactively report the activity to relevant law enforcement authorities. Exploita monitors for suspicious usage patterns and cooperates fully with any law enforcement investigations. The User bears full and sole legal responsibility for all scans they initiate.

Is Exploita responsible if I find vulnerabilities and get hacked anyway?

No. Exploita provides scan results "as-is" for informational purposes only. Our scans are not a substitute for professional penetration testing or security audits. We do not guarantee detection of all vulnerabilities, and we accept no liability for security breaches, data loss, or any damages to your systems — regardless of whether a scan was performed. You are solely responsible for your own security posture and remediation.

How do tokens work?

Tokens are the virtual currency used to run scans. Each scan type has a different cost: Basic scans use ~15 tokens, Deep scans ~50 tokens, Ultra Intense scans ~100 tokens. Free accounts receive 100 tokens upon signup. Pro subscribers receive 1,000 tokens per month. Tokens consumed for completed scans are non-refundable.

Do unused tokens expire?

Free plan tokens never expire. Pro plan tokens refresh monthly — unused tokens do not roll over. One-time token purchases do not expire. Accounts terminated for Terms violations forfeit all remaining tokens without refund.

What types of vulnerabilities can Exploita detect?

Our engine covers the full OWASP Top 10 (SQL injection, XSS, CSRF, SSRF, broken authentication, etc.), plus misconfigurations, exposed APIs, weak TLS/SSL, subdomain takeover risks, and infrastructure vulnerabilities. Results are informational and should be validated by a qualified security professional.

How long does a scan take?

Basic scans: 1-3 minutes. Deep scans: 5-15 minutes. Ultra Intense scans: 15-45 minutes. Times vary based on target size and complexity.

Are my scan results private?

Scan results are confidential and only accessible to your account. We do not sell or share scan results with third parties. However, as stated in our Privacy Policy, we may disclose scan data (including targets and results) to law enforcement when required by law or when we have a good-faith belief that disclosure is necessary to investigate illegal activity.

Can I scan any website?

Absolutely not. You may ONLY scan websites and applications that you own or have explicit written authorization to test. Scanning unauthorized targets is a violation of our Terms of Service and is illegal. There are no exceptions. If you are a security professional performing authorized testing, ensure you have written permission from the system owner before scanning.

Why is domain verification required before scanning?

Exploita requires you to verify each domain via DNS TXT record before scans can be initiated. This is a technical control that proves you have access to modify the domain's DNS records, creating an audit trail for compliance and abuse prevention. However, DNS verification does NOT constitute legal authorization — you must still have explicit written permission from the domain's lawful owner. Verification is necessary but not sufficient.

Does domain verification mean I'm authorized to scan?

No. Domain verification proves DNS access only — it does not prove legal ownership or authorization. You remain fully and solely responsible for ensuring you have proper legal authorization from the domain owner before initiating any scan. Scanning a verified domain without authorization is still a violation of our Terms of Service and may constitute a criminal offense.
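The two answers above describe a DNS TXT challenge that proves control of a zone and a separate, non-technical requirement for written authorization. The following Python sketch, added here as an illustration and not Exploita's own code, shows how such a control is typically built: a random token is minted per domain, looked up under a well-known TXT label, compared in constant time, written to an audit log, and deliberately kept apart from the authorization attestation so that a DNS match alone never unlocks a scan. The record label `_exploita-verification`, the value prefix, the 48-hour token lifetime and the `authorization_reference` field are assumptions; the resolver is injected so the example runs offline (in production it would wrap `dns.resolver.resolve(name, "TXT")` from dnspython).

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed values (not from the page): label, value prefix and token lifetime.
VERIFICATION_LABEL = "_exploita-verification"
VALUE_PREFIX = "exploita-verification="
TOKEN_TTL_SECONDS = 48 * 3600

# A resolver maps a fully qualified name to its TXT strings and raises
# LookupError when the name has no TXT record. Injected so the example is
# offline-testable; a real one would wrap dnspython's dns.resolver.resolve.
Resolver = Callable[[str], List[str]]


def normalize(domain: str) -> str:
    """Lower-case, strip a trailing dot, reject obviously malformed names."""
    d = domain.strip().lower().rstrip(".")
    if not d or any(c.isspace() for c in d) or ".." in d or "/" in d:
        raise ValueError(f"invalid domain: {domain!r}")
    return d


@dataclass
class Challenge:
    account_id: str
    domain: str
    token: str
    issued_at: float
    verified_at: Optional[float] = None
    # Hypothetical field: reference to the written authorization kept on file.
    authorization_reference: Optional[str] = None


@dataclass
class DomainVerifier:
    resolver: Resolver
    now: Callable[[], float] = time.time
    challenges: Dict[str, Challenge] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def issue_challenge(self, account_id: str, domain: str) -> Challenge:
        """Mint an unguessable token the user must publish in a TXT record."""
        domain = normalize(domain)
        ch = Challenge(account_id, domain, secrets.token_urlsafe(32), self.now())
        self.challenges[domain] = ch
        self._log(ch, "challenge-issued")
        return ch

    def record_name(self, domain: str) -> str:
        return f"{VERIFICATION_LABEL}.{normalize(domain)}"

    def expected_value(self, domain: str) -> str:
        return VALUE_PREFIX + self.challenges[normalize(domain)].token

    def verify(self, domain: str) -> str:
        """Return 'verified', 'pending', 'expired' or 'no-challenge'."""
        domain = normalize(domain)
        ch = self.challenges.get(domain)
        if ch is None:
            return "no-challenge"
        if self.now() - ch.issued_at > TOKEN_TTL_SECONDS:
            self._log(ch, "expired")
            return "expired"
        try:
            txts = self.resolver(self.record_name(domain))
        except LookupError:
            txts = []  # record absent: usually propagation delay, so 'pending'
        expected = self.expected_value(domain).encode()
        # TXT strings often arrive quoted; compare each in constant time.
        hit = any(hmac.compare_digest(t.strip().strip('"').encode(), expected)
                  for t in txts)
        if hit:
            ch.verified_at = self.now()
        self._log(ch, "verified" if hit else "pending")
        return "verified" if hit else "pending"

    def record_authorization(self, domain: str, reference: str) -> None:
        """Store the written-permission reference separately (assumed design)."""
        ch = self.challenges[normalize(domain)]
        ch.authorization_reference = reference.strip() or None
        self._log(ch, "authorization-recorded")

    def can_scan(self, domain: str) -> bool:
        """DNS proof is necessary but not sufficient: both controls must hold."""
        ch = self.challenges.get(normalize(domain))
        return bool(ch and ch.verified_at is not None and ch.authorization_reference)

    def _log(self, ch: Challenge, outcome: str) -> None:
        self.audit_log.append({"ts": self.now(), "account": ch.account_id,
                               "domain": ch.domain, "outcome": outcome})


if __name__ == "__main__":
    # Constructed stand-in for DNS: names map to TXT strings.
    fake_dns: Dict[str, List[str]] = {}
    v = DomainVerifier(resolver=lambda name: fake_dns[name])
    ch = v.issue_challenge("acct-demo", "example.com")
    print("publish TXT", v.record_name("example.com"), "=", v.expected_value("example.com"))
    print(v.verify("example.com"))  # pending until the record exists
    fake_dns[v.record_name("example.com")] = ['"' + v.expected_value("example.com") + '"']
    print(v.verify("example.com"), "can_scan:", v.can_scan("example.com"))
```

A `pending` result is the normal state for the first 15-30 minutes after the record is added, so a caller should poll rather than treat it as failure; `expired` forces a fresh challenge, which is also when the FAQ suggests contacting support.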

What if I can't verify my domain?

You must successfully verify a domain before launching scans. Common issues include: DNS propagation delays (wait 15-30 minutes after adding the TXT record), incorrect record format, or DNS management not under your direct control. If verification fails after 48 hours, contact support via the Contact us page for troubleshooting assistance.

What data does Exploita retain about my scans?

We retain scan results for 12 months. Scan target logs (domains scanned, timestamps, IP addresses) are retained for a minimum of 36 months for compliance and legal purposes. Data related to accounts terminated for Terms violations may be retained indefinitely. See our Privacy Policy and GDPR page for full details.

What happens if a scan fails?

If a scan fails due to a platform error, tokens are automatically credited back. If a scan fails because the target is unreachable or blocks the scan, tokens are consumed as the service was attempted.

Can I get a refund?

Unused tokens can be refunded within 14 days of purchase. Consumed tokens are non-refundable. Accounts terminated for Terms violations forfeit all tokens without any refund. See our full Refund Policy for details.

Do you cooperate with law enforcement?

Yes, fully and without reservation. We cooperate with law enforcement authorities and regulatory bodies in the investigation of suspected illegal activity. We may disclose user data, scan history, and all associated records in response to valid legal requests, and we may proactively report suspected illegal activity to the relevant authorities.

Can I delete my account and all my data?

You can delete your account from Settings. However, certain data (scan target logs, compliance records, and data related to abuse investigations or Terms violations) may be retained in accordance with our legal obligations and legitimate interests as described in our Privacy Policy and GDPR Compliance page.

How can I contact support?

General inquiries: Contact us. Billing: Contact us. Privacy & data requests: Contact us. Legal: Contact us. Enterprise customers have dedicated account managers.